DMZ Configuration

Unanswered Question
Dec 17th, 2008

I am trying to set up a DMZ and I am running into problems. I set up a Windows server in the DMZ thinking I would be able to ping it or at least access the file share. No luck. (No, I won't do this in a production environment.) I am new at setting up a DMZ and want to get the hang of how things will work. The ASA I am working with is currently in a test environment.

The quick startup guide for the Cisco ASA appliance suggests doing the following.

DMZ = /24

internal = /24

global (dmz) 50 netmask

nat (inside) 50

I then put a Windows machine in the DMZ and configured it with an IP of

What I have found is I get no xlate, and I can't access the server via ping or the file share.

I have seen some references on this forum recommend

static (inside,dmz) netmask

Any suggestions...thanks

ajagadee Wed, 12/17/2008 - 14:39

In the above case, Static is a better route to take since the packets are between the Inside and DMZ.

static (inside,dmz) netmask

In the above case, any traffic going to the DMZ will get translated to So the DMZ network will see the inside network as And if the DMZ is going to initiate the traffic to inside destined for, make sure the ACL applied on the DMZ permits this traffic.



*Pls rate if it helps*

JORGE RODRIGUEZ Wed, 12/17/2008 - 15:24

In addition, you can do a nonat exempt ACL instead towards either direction if you intend to simply NAT exempt both networks, DMZ and inside.

access-list nonat extended permit ip

access-list nonat extended permit ip

nat (dmz) 0 access-list nonat

Best is to reference this link to understand NAT in firewalls
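
As an added example, not part of either reply above and not Cisco's own configuration: the identity static that ajagadee recommends, combined with a narrowly scoped ACL for DMZ-initiated traffic, in the pre-8.3 syntax the thread uses. All addresses, the ACL name dmz_in and the permitted service are constructed, because the thread's own values are not shown.

```cisco
! Constructed addressing (assumption, not from the thread):
!   inside 192.168.1.0/24, dmz 172.16.10.0/24
!   DMZ server 172.16.10.10, inside host 192.168.1.20

! Identity static: inside hosts appear on the dmz with their real addresses.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Inside-to-dmz connections are allowed by security level, but ICMP is not
! inspected by default, so echo replies coming back from the dmz are dropped
! unless ICMP inspection is enabled (or the replies are permitted by ACL).
policy-map global_policy
 class inspection_default
  inspect icmp

! DMZ-initiated traffic toward inside needs an explicit permit.
! Keep it to one host and one service (constructed: TCP/1433).
! dmz_in is a hypothetical ACL name.
access-list dmz_in extended permit tcp host 172.16.10.10 host 192.168.1.20 eq 1433
access-list dmz_in extended deny ip 172.16.10.0 255.255.255.0 192.168.1.0 255.255.255.0 log
! Once an ACL is bound, its implicit deny also blocks dmz traffic to every
! other interface; add further permits above it if the dmz needs them.
access-group dmz_in in interface dmz

! Verification from the ASA CLI
show xlate
packet-tracer input inside icmp 192.168.1.20 8 0 172.16.10.10
packet-tracer input dmz tcp 172.16.10.10 1025 192.168.1.20 1433
```

The packet-tracer output lists each phase (NAT, ACL, inspection) and names the one that drops the packet, which separates a translation problem from an access-list or host-firewall problem.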


